Tagged Questions

I have been asking myself for a while what's the purpose of that popup showing up in pretty much all the modern browsers upon entering the full-screen mode of a video or website.
It appears to be a ...

Currently, there is an HTML form/input attribute called autocomplete, which, when set to off, disables autocomplete/autofill for that form or element.
Some banks seem to use this to prevent password ...

I recently learned that SVG (Scalable Vector Graphics) images introduce a number of opportunities for subtle attacks on the web. (See paper below.) While SVG images may look like an image, the file ...

I am sorry if this is too trivial a question, but once I was told that only a fool is sure of anything: as I am not sure about this question, I am willing to risk my neck by asking it anyway, all in ...

Is there any problem with outputting a user's password to the HTML in a hidden field (see use case below before flaming xD)?
The use case is a registration form with two steps. The user fills in the ...

I'm going to be developing a single page JavaScript app which allows input via a textarea. This input is never sent to the server, never shown to another user, and will only be persisted in browser ...

Drupal filters HTML strings against XSS attacks using regexes: http://api.drupal.org/api/drupal/includes%21common.inc/function/filter_xss/7
However, as a lot of people know, HTML can't be parsed with ...

I'm combing through a legacy app updating SQL to prevent Injections and XSS vulnerabilities. I know to apply PHP's htmlspecialchars() to anything that is directly passed to a script and displayed on a ...

I don't know where to start in searching the forum for existing threads that might cover my issues.
I recently received a spoof email pretending to be from a client for whom I've just started to do ...

I have read this article on how a scripted web page is able to obtain the visited history of a user browsing the page. However, I can't find any clear information in the article describing the extent ...

Originally I was under the impression that a particular page on a site I visited was showing an insecure content warning in my browsers due to the tags on the page having plain http href attributes.
...

This is kind of a bar-bet question. An acquaintance of mine has made the claim that, given an arbitrary glob of HTML, it can be completely prevented from executing JavaScript if, before slapping it ...